diff --git a/runbot/controllers/frontend.py b/runbot/controllers/frontend.py
index ebb8a4f9..b35a407b 100644
--- a/runbot/controllers/frontend.py
+++ b/runbot/controllers/frontend.py
@@ -210,6 +210,8 @@ class Runbot(Controller):
 '/runbot/bundle//force/',
 ], type='http', auth="user", methods=['GET', 'POST'], csrf=False)
 def force_bundle(self, bundle, auto_rebase=False, **_post):
+ if not self.env.user.has_group('runbot.group_runbot_advanced_user'):
+ raise Forbidden("Only users with a specific group can do that. Please contact runbot administrators")
 _logger.info('user %s forcing bundle %s', request.env.user.name, bundle.name) # user must be able to read bundle
 batch = bundle.sudo()._force()
 batch._log('Batch forced by %s', request.env.user.name)
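Review bot: The new group check limits who may force a bundle, but the route above it still declares `csrf=False` and accepts `GET`, so a cross-site request sent from the browser of a user in `runbot.group_runbot_advanced_user` passes the check and reaches `bundle.sudo()._force()`. If the frontend can issue the force as a form post, tighten the decorator to `methods=['POST']` and drop `csrf=False`. The denial is also raised before the `_logger.info` call, so refused attempts leave no trace; consider `_logger.warning('user %s denied forcing bundle %s', request.env.user.name, bundle.id)` ahead of the `raise`. The check reads `self.env.user` while the rest of the method uses `request.env.user`; using `request.env.user` here would keep the method consistent. The decorator opens before the hunk and the method body may continue past it, so the `Forbidden` import and the rest of the handler are not visible here.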